Steps to reproduce:
1) Upload a file and save it.
2) Edit the file (e.g. at /file/###/edit), and change the 'Filename' of the file, to something more reader-friendly, specifically without the file extension. Save the file.
3) Return to edit the file, try to replace the file -- the file extension is not validated correctly.
This is most noticeable when dealing with a file that is not in Drupal's default list of allowed extensions (e.g. a zip file), because the validation fails, with the message 'Only files with the following extensions are allowed', followed by that default list. Instead, the extension should match whatever the replaced file had.
This is happening because the only allowed extension is being parsed out of the filename property, rather than the file URI. That would be fine if the filename wasn't editable... but it is.
Patch to follow.
Needs work
2.0
Code
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Umm... this feels rather close to SA-CONTRIB-2024-001 . The D8+ versions might not have official security coverage, but it might be prudent for them to get fixed too, especially with the attention that SA will have brought to this project?